Andreas Becker, DOAG Special Interest Day ORACLE und ......Customer Credit for maintenance Card Numbers Laptops stolen Backups lost Andreas Becker, DOAG Special Interest Day ORACLE


Page 1:

Andreas Becker, DOAG Special Interest Day ORACLE und SAP, 27.6.2007

Page 2:

Transparent Data Encryption
DOAG Special Interest Day ORACLE and SAP – June 2007

Andreas Becker
Senior Member Technical Staff
Oracle Server Technologies - SAP Development

Page 3:

Agenda

• Transparent Data Encryption
  • Technical Overview
  • Demo
  • Technical Restrictions / Recommendations
  • Configuration and Support in SAP Environments

• Alternatives
  • RMAN Backup Encryption
  • Oracle Secure Backup

Page 4:

Encryption

• Network Encryption
  • Encryption of data in motion

• Transparent Data Encryption
  • Encryption of data at rest

Page 5:

“JP Morgan Chase has alerted thousands of its Chicago-area millionaire clients, as well as some of its own employees, that it cannot locate a computer tape containing their account information and Social Security numbers.”

JP Morgan Client Data Loss, The Wall Street Journal, May 2007

Page 6:

The Need for Encryption

• Worldwide privacy, security laws and regulations
  • Sarbanes-Oxley
  • PCI (Payment Card Industry)
  • California SB 1386 (Nationwide soon?)
  • Country-specific laws

Data worthless if encrypted:
  • Disks replaced for maintenance
  • Customer credit card numbers
  • Laptops stolen
  • Backups lost

Page 7:

Database Encryption Release < 10.2

• Oracle8i, Oracle9i and Oracle Database 10g provided a PL/SQL API for encrypting data in the Enterprise Edition
  • DBMS_OBFUSCATION_TOOLKIT in Oracle9i, Oracle10g
  • DBMS_CRYPTO in Oracle Database 10g

• Application calls the PL/SQL API to perform encryption
  • Typically requires database triggers, database views
  • No automated key management
  • Note that most 3rd party solutions today create triggers and views to make their encryption solution look transparent
  • Oracle encryption APIs are used by customers today to encrypt credit card numbers

Page 8:

What our customers wanted

• “Privacy / regulatory compliance” (SB 1386, CISP/PCI)
• “Protection for data on backup tapes”
• “Additional protection against operating system / data file theft”
• “Media theft / disk replacement”
• “Let the database handle all aspects of encryption, not the application”
• “Make it easy and secure”

Page 9:

Transparent Data Encryption

• Integrated with the Oracle database for simplicity
  • Alter table encrypt column …

• Provides application transparency
  • No API calls, database triggers, or views required

• Media protection of PII data
  • Social security numbers
  • Credit card numbers

• Performance
  • Works with existing indexes for equality searches

Page 10:

TDE Key Features

• Encryption / decryption inside the database
• Simple SQL syntax:
  SQL> ALTER TABLE customers MODIFY (creditcardno ENCRYPT);

• Requires Advanced Security Option!
  • Only with Oracle Enterprise Edition
• TDE keys are managed by Oracle
• Protects against unauthorized access to the database at file system level / OS level

Page 11:

TDE Key Features

• Simple and easy encryption of sensitive data
• Views or triggers are NOT needed
• Protects confidential data without the overhead of key management
• Data on disk is encrypted, but decryption is transparent for the application

Page 12:

Overview – the Big Picture

[Diagram: Oracle Advanced Security – Network Encryption, Strong Authentication, Transparent Data Encryption]
• Data written to disk is automatically encrypted
• Data is encrypted on backup files
• Data is automatically decrypted through the SQL interface

Page 13:

Separation of duties

[Diagram: separation of duties]
• DBA starts up the database – no access to the wallet
• Security DBA opens the wallet containing the master key
• Wallet password is separate from the system or DBA password

Page 14:

Master key and column keys

• Master key stored in a PKCS#12 wallet
• Security DBA opens the wallet containing the master key
• Column keys encrypted by the master key
• Column keys encrypt the data in the columns

Page 15:

Transparent Data Encryption – Configuration steps

5 steps to set up TDE:
1. Identify tables and columns containing sensitive data
2. Does TDE support the datatype of the column?
3. Is the column part of a foreign key? (should not be relevant in SAP environments)
4. Set up and initialize the wallet and master key
5. Encrypt existing data and new data in the encrypted table column
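The five steps above as one SQL*Plus script, added here as a worked example (not from the slides or from Oracle/SAP). It assumes Oracle 10gR2 with the Advanced Security Option, a hypothetical SAP custom table SAPSR3.ZCARD with column CARDNO, placeholder passwords, a wallet location already configured in sqlnet.ora, and that the V$ENCRYPTION_WALLET view is available in this release.

```sql
-- Added worked example (not from the slides): the five TDE setup steps as a
-- SQL*Plus script. Assumptions: Oracle 10gR2 with the Advanced Security
-- Option, a hypothetical SAP custom table SAPSR3.ZCARD with column CARDNO,
-- placeholder passwords, and the wallet location already set in sqlnet.ora:
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE)
--       (METHOD_DATA = (DIRECTORY = /oracle/<SID>/dbs)))

-- Step 1: the column identified as sensitive (from the data classification).
DEFINE own = SAPSR3
DEFINE tab = ZCARD
DEFINE col = CARDNO

-- Step 2: is the data type supported? The IN list mirrors the supported
-- data types slide; LONG, LONG RAW and LOBs would fail with ORA-28330.
SELECT column_name, data_type,
       CASE WHEN data_type IN ('VARCHAR2', 'NVARCHAR2', 'NUMBER', 'DATE',
                               'BINARY_FLOAT', 'BINARY_DOUBLE', 'RAW',
                               'CHAR', 'NCHAR')
              OR data_type LIKE 'TIMESTAMP(_)'
              OR data_type LIKE 'INTERVAL%'
            THEN 'supported' ELSE 'NOT supported' END AS tde_support
FROM   dba_tab_columns
WHERE  owner = '&own' AND table_name = '&tab' AND column_name = '&col';

-- Step 3: is the column part of a foreign key? No rows = safe to proceed.
SELECT c.constraint_name
FROM   dba_constraints c
JOIN   dba_cons_columns cc
       ON cc.owner = c.owner AND cc.constraint_name = c.constraint_name
WHERE  c.owner = '&own' AND c.table_name = '&tab'
AND    cc.column_name = '&col' AND c.constraint_type = 'R';

-- Step 3b (rule from the TDE Candidates and restrictions slides): a column
-- that sits in an index must be encrypted NO SALT, and only B-tree indexes
-- are supported on encrypted columns. Any row here means NO SALT below.
SELECT i.index_name, i.index_type
FROM   dba_indexes i
JOIN   dba_ind_columns ic
       ON ic.index_owner = i.owner AND ic.index_name = i.index_name
WHERE  i.table_owner = '&own' AND i.table_name = '&tab'
AND    ic.column_name = '&col';

-- Step 4: the security DBA creates wallet and master key (once per database).
-- This statement also opens the wallet; after every later instance restart
-- only the OPEN statement is needed.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet password>";
-- ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<wallet password>";
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- Step 5: encrypt existing rows and all future inserts. NO SALT because the
-- index check above returned a B-tree index; AES256 instead of the default
-- AES192. This is a full table update, so run it in a maintenance window.
ALTER TABLE &own..&tab MODIFY (&col ENCRYPT USING 'AES256' NO SALT);

-- Verify in the dictionary, then back up the wallet (ewallet.p12) at once.
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
WHERE  owner = '&own' AND table_name = '&tab';
```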

Page 16:

D E M O N S T R A T I O N

Transparent Data Encryption (TDE)

Page 17:

Prepare the Database

• Create a wallet and generate the master key (syntax as on the Wallet Management slide):
  alter system set encryption key identified by "e3car61"

• Open the wallet:
  alter system set encryption wallet open identified by "e3car61"

Page 18:

Encrypting columns

• Encrypt a column in an existing table:
  alter table credit_rating modify (person_id encrypt);

• Create a new table with an encrypted column:
  create table orders (
    order_id    number(12),
    customer_id number(12),
    credit_card varchar2(16) encrypt);

Page 19:

Which algorithms are used?

• Default: AES with 192 bits:
  alter table credit_rating modify (person_id encrypt)

• Example with other algorithms:
  create table employee (
    first_name varchar2(64),
    last_name  varchar2(64),
    empID      NUMBER encrypt using 'AES256',
    salary     NUMBER(6) encrypt using 'AES256')

Page 20:

TDE – Available Algorithms

• Triple DES (Data Encryption Standard)
  • 3DES168
• AES (Advanced Encryption Standard)
  • AES128
  • AES192 (default)
  • AES256

Page 21:

Performance?

• Equality searches possible when not salted

  Alter table credit_rating modify (person_id encrypt no salt);   -- encrypt person_id
  Create index person_id_idx on credit_rating (PERSON_ID);        -- create index over encrypted column
  Select score from credit_rating where PERSON_ID='235901';       -- application remains unchanged


Page 24:

Transparent Data Encryption – Overhead

Storage
• 33-48 bytes per row per encrypted column

Performance
• ~5%
• Very customer/system-specific
• Depends on
  • # tables
  • Size of tables
  • How tables are accessed

Page 25:

Transparent Data Encryption – SALT vs. NO SALT

SALT
• A random string is added to the clear text before it is encrypted
• Multiple occurrences of the same clear text appear different when encrypted with salt
• Increased security
  • Against pattern matching attacks from hackers
• But: encrypted columns which are part of an index must be encrypted with NO SALT
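The SALT / NO SALT trade-off from this slide and the Performance slide, worked through on the credit_rating table of the demo, as an added example (not from the slides): it assumes the wallet is open, the table exists with columns PERSON_ID and SCORE, and ends with a dictionary query the security DBA can use to review which encrypted columns had to give up salt for an index.

```sql
-- Added example, not from the slides. Table CREDIT_RATING (PERSON_ID, SCORE)
-- as in the demo; wallet already open. Shows why an indexed column must be
-- NO SALT and how to review the resulting exposure.

-- 1. Default = SALT: a random salt is added before encryption, so the same
--    PERSON_ID in two rows is stored as two different ciphertexts. Anyone
--    reading the data files cannot group rows by equal values.
ALTER TABLE credit_rating MODIFY (person_id ENCRYPT);
-- A B-tree index on this column is rejected, because the index would have
-- to compare ciphertexts that differ for equal clear text:
-- CREATE INDEX person_id_idx ON credit_rating (person_id);

-- 2. NO SALT (removes the salt from the already encrypted column): identical
--    clear text now gives identical ciphertext, which is exactly what a
--    B-tree equality lookup needs. The price is that equal values are
--    recognisable as equal on disk (pattern matching), so reserve NO SALT
--    for columns that really have to be indexed.
ALTER TABLE credit_rating MODIFY (person_id ENCRYPT NO SALT);
CREATE INDEX person_id_idx ON credit_rating (person_id);

-- 3. Application SQL is unchanged; the equality predicate can use the index.
SELECT score FROM credit_rating WHERE person_id = '235901';
-- A range predicate cannot use the index (ciphertext is not order-preserving,
-- see the restrictions slide); the statement still runs, but as a full scan
-- with decryption of every row:
SELECT score FROM credit_rating WHERE person_id BETWEEN '235900' AND '235999';

-- 4. Review query for the security DBA: every unsalted encrypted column, its
--    algorithm, and the index (if any) that justified NO SALT. An unsalted
--    column without an index should be switched back to SALT.
SELECT ec.owner, ec.table_name, ec.column_name, ec.encryption_alg, ec.salt,
       ic.index_name
FROM   dba_encrypted_columns ec
LEFT JOIN dba_ind_columns ic
       ON ic.table_owner = ec.owner
      AND ic.table_name  = ec.table_name
      AND ic.column_name = ec.column_name
WHERE  ec.salt = 'NO'
ORDER  BY ec.owner, ec.table_name, ec.column_name;
```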

Page 26:

Transparent Data Encryption – Change Wallet Password

• Wallet password is independent from
  • Master key
  • Column keys
  • SYSTEM password
  • SYS password

• Wallet Manager supports a password policy
  • At least 8 characters
  • Must contain a number or special characters

Page 27:

Transparent Data Encryption – Export of table data

Export of encrypted data is only supported with Data Pump:

• Using the ‘exp’ utility:
  EXP-00107: Feature (string) of column string in table string.string is not supported. The table will not be exported.

• Using ‘expdp’ (Data Pump) without encryption password:
  ORA-39173: Encrypted data has been stored unencrypted in dump file set.

• Using ‘expdp’ (Data Pump) with encryption password: OK

Page 28:

TDE Administration

SQL> desc dba_encrypted_columns
 Name                      Null?    Type
 ------------------------  -------- -------------
 OWNER                     NOT NULL VARCHAR2(30)
 TABLE_NAME                NOT NULL VARCHAR2(30)
 COLUMN_NAME               NOT NULL VARCHAR2(30)
 ENCRYPTION_ALG                     VARCHAR2(29)
 SALT                               VARCHAR2(3)

Page 29:

Transparent Data Encryption – When you lose your wallet…

• Losing your wallet is the most secure way to delete your data

• A wallet cannot be recovered (even with the same wallet password)

• Wallet password and master key are not related
• Recommendation: back up your wallet frequently
  • After change of wallet password
  • After change of master key
  • After column rekey

• Perform change of master key (master rekey) offline

Page 30:

Re-key the master key

• Security policy might require periodic update
• Command:
  alter system set encryption key identified by "2naf1sh"

• Password and master key are independent

• Re-encrypts all column keys

Page 31:

Re-keying the column keys

• Without changing the encryption algorithm:
  ALTER TABLE employee REKEY;

• Re-key the column key and change the algorithm:
  ALTER TABLE employee REKEY USING 'AES256';

• Change the algorithm without re-keying the column keys:
  ALTER TABLE employee ENCRYPT USING 'AES128';

Page 32:

TDE and Data Guard

[Diagram: Production Database → redo apply → Physical Standby]
• Production Database
• Physical Standby
• Redo apply: redo logs contain encrypted data
• Data encrypted on backup files

Page 33:

Supported data types

• varchar2
• nvarchar2
• number
• date
• binary_float (*)
• binary_double (*)
• timestamp
• raw
• char
• nchar
• interval day to second
• interval year to month

Page 34:

TDE - Unsupported data types

• LONG/LONG RAW
• LOB/BLOB

  SQL> create table test (c1 long encrypt)
                          *
  ORA-28330: encryption is not allowed for this data type

Page 35:

TDE - Unsupported database features

• Materialized View logs
• Streams
• Sync and async CDC (Change Data Capture)
• Direct path insert
• LOBs
• Transportable Tablespaces

Page 36:

TDE - restrictions

• Transparent Data Encryption does not work with the following database features
  • Index types other than B-tree
  • Range scan search through an index
  • Large object datatypes such as BLOB and CLOB
  • Original import / export utilities
  • Other database tools and utilities that directly access data files

Page 37:

How Oracle Advanced Security helps with CISP/PCI

• Section 3.4: Render sensitive cardholder information unreadable anywhere it is stored

• Transparent Data Encryption, part of the Oracle Advanced Security Option, encrypts any column with 3DES 128 bit or AES256, as required.

• Both TDE and Network Encryption, part of the Oracle Advanced Security Option, provide SHA-1 for hashing

Page 38:

How Oracle Advanced Security helps with CISP/PCI

• Section 3.5 (incl. 3.5.1. and 3.5.2.): Protect encryption keys against both disclosure and misuse, restrict access and store securely.

• Transparent Data Encryption stores the master key in the Oracle Wallet, and the encrypted column keys in the database

• Intruder would need access to OS file to get to wallet and database access to get to encrypted column keys.

Page 39:

How Oracle Advanced Security helps with CISP/PCI

• Section 4: Encrypt transmission of cardholder and sensitive information across public networks:

• Network Encryption, part of ASO, provides encryption of all traffic between Oracle Database and Oracle Application Server

Page 40:

Transparent Data Encryption – Recommendations

• Do not misuse TDE as an authorization method

• Do not encrypt all your data – only data that needs to be protected

Page 41:

Transparent Data Encryption – Recommendations (cont’d)

• NEVER LOSE YOUR WALLET!!
  • WITHOUT WALLET: DATA LOSS

• BACK UP YOUR WALLET!!
  • WITHOUT CURRENT WALLET: DATA LOSS

• NEVER FORGET YOUR WALLET PASSWORD!
  • WITHOUT WALLET PASSWORD: DATA LOSS

Page 42:

Transparent Data Encryption – Recommendations (cont’d)

• Rekey operations
  • Rekey master key: how often?
    • Depends on regulations (SB1386, Sarbanes-Oxley)
    • Regularly, but not too often (~once a year)
    • Maximum number of TDE master keys is limited due to limited wallet size
      • 10.2.0.2: max wallet size = 64k (~240 master keys)
      • 10.2.0.4: max wallet size = 4M (>15M)
  • Rekey column key:
    • Depending on your regulations
    • Full table update

Page 43:

Transparent Data Encryption – Recommendations (cont’d)

Wallet Management
• Wallet password
  • Initially set when the wallet is created:
    SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet password>";
  • Can be changed only in Wallet Manager (not via SQL or command line tool)
• Rekey (= generate new) master key
  • Via SQL: SQL> alter system set encryption key …
  • Not from Wallet Manager
• Back up your wallet
  • Backup of the wallet must be part of your backup / recovery strategy
  • After change of wallet password
  • After every rekey operation

Page 44:

Transparent Data Encryption – Recommendations (cont’d)

Wallet Management
• One encryption wallet per database
• Do not use an autologin wallet
• No support for multiple ENCRYPTION_WALLET_LOCATION entries
  • Only one wallet location in sqlnet.ora

Page 45:

TDE in an SAP environment – TDE Candidates

• Do NOT encrypt tables belonging to the SAP core application
  • SAP system should be startable without the wallet
• Do not encrypt tables used by BR*Tools
• Do not encrypt all tables (~100 should be enough)
• When a column is used in an index, encrypt it non-salted (NO SALT)

Page 46:

TDE Support in SAP BR*TOOLS

• ENCRYPTION_WALLET_LOCATION parameter must be configured in sqlnet.ora to override the Oracle default path

• Location of the encryption wallet in an SAP environment:
  • $ORACLE_HOME/dbs (Unix)
  • %ORACLE_HOME%\database (Windows)

• BR*Tools support backup and restore of the encryption wallet ewallet.p12
  • Prerequisite: encryption wallet exists in $ORACLE_HOME/dbs resp. %ORACLE_HOME%\database
  • Auto-login encryption wallet (cwallet.sso, if it exists) will not get backed up by BR*Tools

Page 47:

TDE Support in SAP Dictionary

• No support for TDE in SAP dictionary at the moment

Page 48:

Alternate Solutions

Instead of using TDE encryption you could also use one of the following options:

• RMAN Backup Encryption (ASO required) – currently under evaluation
  • RMAN now creates encrypted backups that cannot be restored by unauthorized people

• Oracle Secure Backup (OSB)
  • OSB provides an optimized, highly efficient tape backup solution for the Oracle Database. OSB can store data on tape in encrypted form, providing protection against theft of backup tapes.

Page 49:

Oracle Secure Backup

• Integrated tape backup:
  • Oracle database
  • Operating system files

• Encryption of data to tape
  • Data at-rest protection

• Tape data protection
  • At the lowest cost

[Diagram: Oracle Secure Backup – Centralized Tape Backup Management; file system data from UNIX, Linux, Windows and NAS hosts, and Oracle databases via RMAN]

Page 50:

Why Oracle Secure Backup?

• Encryption of data to tape
  • Protects against misuse of business data

• Oracle database manages encryption keys
• Certificate based authentication
  • Outside parties cannot impersonate a host

• Reduces cost of secure tape backups
  • Only $3,000 per tape device

• Runs on Linux, Windows & UNIX
  • Supports over 200 tape devices

Page 51:

RMAN Backup Encryption

• Oracle Recovery Manager (RMAN)
  • Oracle default tool for database backups
  • To disk or tape (MML)

• Encryption of backup
  • Advanced Encryption Standard (AES)
  • Authentication: via user-defined password or via Oracle Wallet
  • ASO required

[Diagram: Database Area and Flash Recovery Area → RMAN → Media Management Layer → tape storage]

Page 52:

TDE – OSB – RMAN Backup Encryption

• TDE
  • Encryption of sensitive data in database files on OS / file-system level
  • Encryption of sensitive data in backups (disk and tape)
  • Encryption of sensitive data in archive logs (LogMiner)
  • ASO license required

• Oracle Secure Backup (OSB)
  • Encryption of backups to tape only (not backup to disk)
  • No encryption of sensitive data in database files
  • No encryption of sensitive data in archive logs
  • Requires separate OSB license

• RMAN Backup Encryption (ASO required)
  • Encryption of backups to disk and to tape
  • No encryption of sensitive data in database files
  • No encryption of sensitive data in archive logs
  • ASO license required

Page 53:

For More Information

http://search.oracle.com

Transparent Data Encryption

Advanced Security

Oracle Database Security Checklist

or http://www.oracle.com/security

Page 54:

SAP Notes

http://service.sap.com/notes
• 974876: Transparent Data Encryption
• 973450: Network Encryption

Page 55:

Oracle Metalink Notes

https://metalink.oracle.com/
• Note 317311.1: 10g R2 New Feature TDE: Transparent Data Encryption
• Note 317317.1: How to Export/Import with Data Encrypted with Transparent Data Encryption (TDE)

Page 56:

Oracle Technology Network

• Oracle Database 10g
  http://www.oracle.com/technology/products/database/oracle10g/index.html

• Oracle Database Security
  http://www.oracle.com/technology/deploy/security/database-security/index.html

• Oracle Advanced Security
  http://www.oracle.com/technology/deploy/security/database-security/advanced-security/index.html

• Oracle Advanced Security – Transparent Data Encryption TDE
  http://www.oracle.com/technology/deploy/security/database-security/transparent-data-encryption/index.html

Page 57:

Oracle Technology Network

• TDE – Frequently Asked Questions (FAQ)
  http://www.oracle.com/technology/deploy/security/database-security/transparent-data-encryption/tde_faq.html

• ASO Data Sheet
  http://www.oracle.com/technology/deploy/security/database-security/pdf/ds_security_db_advancedsecurity_10gR2_062006.pdf

• Oracle Secure Backup
  http://www.oracle.com/database/secure-backup.html

• Oracle Security Checklist
  http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf

Page 58:

DOAG e.V. Server

Deutsche ORACLE-Anwendergruppe e.V. Special Interest Days: Oracle + SAP
http://www.doag.org/public/sig/sap/

Page 59:

TDE Pilot Customers Wanted
